<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <title>加密存储模型</title>
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-base.css" />
<link media="all" rel="stylesheet" type="text/css" href="styles/03e73060321a0a848018724a6c83de7f-theme-medium.css" />

 </head>
 <body class="docs"><div class="navbar navbar-fixed-top">
  <div class="navbar-inner clearfix">
    <ul class="nav" style="width: 100%">
      <li style="float: left;"><a href="security.database.connection.html">« 连接数据库</a></li>
      <li style="float: right;"><a href="security.database.sql-injection.html">SQL 注入 »</a></li>
    </ul>
  </div>
</div>
<div id="breadcrumbs" class="clearfix">
  <ul class="breadcrumbs-container">
    <li><a href="index.html">PHP Manual</a></li>
    <li><a href="security.database.html">数据库安全</a></li>
    <li>加密存储模型</li>
  </ul>
</div>
<div id="layout">
  <div id="layout-content"><div id="security.database.storage" class="sect1">
    <h2 class="title">加密存储模型</h2>
    <p class="simpara">
     SSL/SSH 能保护客户端和服务器端交换的数据，但 SSL/SSH
     并不能保护数据库中已有的数据。SSL 只是一个加密网络数据流的协议。
    </p>
    <p class="simpara">
     如果攻击者取得了直接访问数据库的许可（绕过 web
     服务器），敏感数据就可能暴露或者被滥用，除非数据库自己保护了这些信息。对数据库内的数据加密是减少这类风险的有效途径，但是只有很少的数据库提供这些加密功能。
    </p>
    <p class="simpara">
     解决这个问题最简单的方法是创建自己的加密包，然后在 <abbr title="PHP: Hypertext Preprocessor">PHP</abbr> 脚本中使用它。<abbr title="PHP: Hypertext Preprocessor">PHP</abbr>
     可以通过一些扩展来帮助你解决这个问题，比如 <a href="book.openssl.html" class="link">OpenSSL</a> 和 <a href="book.sodium.html" class="link">Sodium</a>，涵盖了多种加密算法。脚本在将数据插入数据库之前对其进行加密，并在检索时对其进行解密。更多关于加密工作的例子请参见参考文献。
    </p>

    <div class="sect2" id="security.database.storage.hashing">
    <h3 class="title">Hashing</h3>
     <p class="simpara">
      In the case of truly hidden data, if its raw representation is not needed
      (i.e. will not be displayed), hashing should be taken into consideration.
      The well-known example for hashing is storing the cryptographic hash of a
      password in a database, instead of the password itself.
     </p>
     <p class="simpara">
      The <a href="ref.password.html" class="link">password</a> functions
      provide a convenient way to hash sensitive data and work with these hashes.
     </p>
     <p class="simpara">
      <span class="function"><a href="function.password-hash.html" class="function">password_hash()</a></span> is used to hash a given string using the
      strongest algorithm currently available and <span class="function"><a href="function.password-verify.html" class="function">password_verify()</a></span>
      checks whether the given password matches the hash stored in database.
     </p>
     <div class="example" id="example-435">
      <p><strong>示例 #1 Hashing password field</strong></p>
      <div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB">&lt;?php<br /><br /></span><span style="color: #FF8000">//&nbsp;存储密码散列<br /></span><span style="color: #0000BB">$query&nbsp;&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">"INSERT&nbsp;INTO&nbsp;users(name,pwd)&nbsp;VALUES('%s','%s');"</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">pg_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$username</span><span style="color: #007700">),<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">password_hash</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">PASSWORD_DEFAULT</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">$result&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">pg_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$connection</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">//&nbsp;发送请求来验证用户密码<br /></span><span style="color: #0000BB">$query&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT&nbsp;pwd&nbsp;FROM&nbsp;users&nbsp;WHERE&nbsp;name='%s';"</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">pg_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$username</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">$row&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">pg_fetch_assoc</span><span style="color: #007700">(</span><span style="color: #0000BB">pg_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$connection</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$query</span><span style="color: #007700">));<br /><br />if&nbsp;(</span><span style="color: #0000BB">$row&nbsp;</span><span style="color: #007700">&amp;&amp;&nbsp;</span><span style="color: #0000BB">password_verify</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$row</span><span style="color: #007700">[</span><span style="color: #DD0000">'pwd'</span><span style="color: #007700">]))&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">'Welcome,&nbsp;'&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #0000BB">htmlspecialchars</span><span style="color: #007700">(</span><span style="color: #0000BB">$username</span><span style="color: #007700">)&nbsp;.&nbsp;</span><span style="color: #DD0000">'!'</span><span style="color: #007700">;<br />}&nbsp;else&nbsp;{<br />&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;</span><span style="color: #DD0000">'Authentication&nbsp;failed&nbsp;for&nbsp;'&nbsp;</span><span style="color: #007700">.&nbsp;</span><span style="color: #0000BB">htmlspecialchars</span><span style="color: #007700">(</span><span style="color: #0000BB">$username</span><span style="color: #007700">)&nbsp;.&nbsp;</span><span style="color: #DD0000">'.'</span><span style="color: #007700">;<br />}<br /><br /></span><span style="color: #0000BB">?&gt;</span>
</span>
</code></div>
      </div>

     </div>
    </div>
   </div></div></div></body></html>